Hello,
I am setting up a VPN tunnel between a Fortigate and a Stormshield using a VTI to mount IPsec (Phase 2).
Below is my architecture
The tunnel is well assembled and UP (phase1 + phase2)
Phase-2 is mounted on the VTI (architecture constraint). I want to communicate between my 2 remote LANs.
I configure a security policy to manage my traffic and configure a static route to reach the LANs behind each firewall.
Traffic can't pass. After debug, the packet always stops at phase-2 on the fortigate side.
I would like to know how to make my VTI a network gateway to be able to route my current LAN and my future LANs.
Or I would like some feedback from someone who has built a VPN between Fortigate and Stormshield using a VTI as gateway.
Sincerely
Hello @NRA,
Can you provide the debug flow for the traffic when replicating the issue as well as the VPN details on the fortigate?
di vpn ike gateway list name <tunnel_name>
di vpn tunnel list name <tunnel_name>
We will need to see how fortigate is processing the traffic.
Kind Regards,
Hello, you can see it below:
fwcore01 (CAMPUS-DMZ) # get vpn ike gateway
vd: CAMPUS-DMZ/1
name: TLS_FBR
version: 2
interface: port7 13
addr: 10.0.90.49:500 -> 10.0.90.50:500
created: 13055s ago
peer-id: 10.0.90.50
peer-auth: no
IKE SA created: 1/1 established: 1/1 time: 20/20/20 ms
IPsec SA created: 1/44 established: 1/44 time: 0/21/40 ms
id/spi: 6897 74dce6c8b5bbd15d/3f2dc09e7d7d79a9
direction: responder
status: established 13055-13055s ago = 20ms
proposal: aes-256-sha256
SK_ei: c2da386335219d3d-6d4899d4658f9ad2-ac1cbbdc3b8a3a9b-a2e74581c3201040
SK_er: 401034255b0c2d24-4fc6ed2e120c9913-f038326274e2f2aa-832dc7def480835e
SK_ai: 61758040c5464378-6d7ddd24777825d2-5d447043ffa6eee1-64236c17b860656e
SK_ar: d569bae2f12912cd-a713fa24bc821a01-047ec78fba1a9def-da4fcb39e71734ea
lifetime/rekey: 21600/8274
DPD sent/recv: 00000058/00000058
fwcore01 (CAMPUS-DMZ) # diagnose vpn tunnel list
list all ipsec tunnel in vd 1
------------------------------------------------------
name=TLS_FBR ver=2 serial=f 10.0.90.49:0->10.0.90.50:0 tun_id=10.0.90.50 tun_id6=::10.0.90.50 dst_mtu=1300 dpd-link=on weight=1
bound_if=13 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=3 olast=3 ad=/0
stat: rxp=2620 txp=6877 rxb=295646 txb=127068
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=88
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=IPSEC_TLS_FBR proto=0 sa=1 ref=3 serial=100 auto-negotiate ads adf
src: 0:10.0.91.49-10.0.91.49:0
dst: 0:10.0.91.50-10.0.91.50:0
SA: ref=3 options=19a27 type=00 soft=0 mtu=1230 expire=2238/0B replaywin=2048
seqno=db esn=0 replaywin_lastseq=000000da qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3332/3600
dec: spi=9fb20ba3 esp=aes key=32 a884165412f6d90424a09741e5baa6a991b7bb7ab1fd3cf48c4d5e537e1a061b
ah=sha256 key=32 4df1b43a2f95ca442838788fcb054b57029a033c278f489443c72bf018754380
enc: spi=c77b898b esp=aes key=32 e2ccf35b7dba5a55d24a26bb00f3c8e14231cfd506dbcf9bc46f1c5cced10b25
ah=sha256 key=32 080bd74afbc760b35224482e81e4acb29484d73f0cde33fdbf6d4a03d727b691
dec:pkts/bytes=436/15696, enc:pkts/bytes=436/31392
npu_flag=00 npu_rgwy=10.0.90.50 npu_lgwy=10.0.90.49 npu_selid=147 dec_npuid=0 enc_npuid=0
run_tally=0
Thanks
Hi @NRA,
Can you collect debug flow and share the outputs? Please refer to this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Created on 07-08-2024 12:01 AM Edited on 07-08-2024 12:03 AM
Hello, you can see the debug flow below:
fwcore01 (CAMPUS-DMZ) # diag debug app ike -1
Debug messages will be on for 23 minutes.
fwcore01 (CAMPUS-DMZ) #
fwcore01 (CAMPUS-DMZ) # diagnose debug console timestamp enable
fwcore01 (CAMPUS-DMZ) #
fwcore01 (CAMPUS-DMZ) # diagnose debug enable
fwcore01 (CAMPUS-DMZ) # 2024-07-03 12:19:20.530032 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:20.530054 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:20.530067 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:20.530075 ike 1:TLS_FBR:IPSEC_TLS_FBR: tunnel is up, ignoring connect event
2024-07-03 12:19:22.675418 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:22.675440 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:22.675453 ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
2024-07-03 12:19:22.675460 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:22.675468 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:500 negotiating
2024-07-03 12:19:22.675487 ike 1:TLS_FBR:6897:3252 initiating CREATE_CHILD exchange
2024-07-03 12:19:22.675493 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: PFS enabled
2024-07-03 12:19:22.675517 ike 1:TLS_FBR:6897: enc 2800003400000030010304049FB20B870300000C0100000C800E0100030000080300000C030000080400001C0000000805000000220000149ACE439152C56EAF31BFEEBDCF99AD822C000048001C0000480AA163488DE9C74FD22CDB5F36F65D4D1CE79AE3DF70909535E833287BEB6D947ADFC7165C9A1EDC8651203850D4D537A0EE84B2B600AAF13EEBF16BD846DA2D00002802000000070000100000FFFF0A0A48020A0A4802070000100000FFFF00000000FFFFFFFF0000002802000000070000100000FFFF0A211A030A211A03070000100000FFFF00000000FFFFFFFFF0F0E0D0C0B0A0908070605040302010F
2024-07-03 12:19:22.675571 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024000000000E0000013021000114CC9A22102A5EBECE7D0E940F400A64D6C82BAE39263282250234E75C76B1BF6FEAC1B6DC63BF4A8E9A52D5A03E81C2DAF31A8ACE0AF2BBEA715903183C795FD0C2A2B3553001B90713C9F62F18DCDAF489C0A77D7D714F5A4EC85390B63585CA59B32D286977EE0DFB5B28F7F88C0E9FE45F3EBFAB08B54D69F06C3CDA244A5D91B37BF486633D14D5153721F8ECA72A190DB11581B0D7747D0BBDA1096C51E3DB593E06234B54AF43F3C96EBD4B9A34EA52564A5A481487BB1486397D30177F518867FB7792C93AE5F6C4531CE53A7DC7DDC7E75411A47605CD06B557540877174D4BE2973CFCE7476523056B883BC074C03709C6CD3302E621946CF011DC024A83AE25C39AB1D36698B7231075135D
2024-07-03 12:19:22.675601 ike 1:TLS_FBR:6897: sent IKE msg (CREATE_CHILD): 10.0.90.49:500->10.0.90.50:500, len=304, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000e
2024-07-03 12:19:22.705716 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:22.705733 ike 1: IKEv2 exchange=CREATE_CHILD_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000e len=288
2024-07-03 12:19:22.705741 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024280000000E00000120210001046EB9AD5BBB2449B1C25D9FEF08D02C6464F240332DFF0666548D05E690E61940B744A3DED3B979A2F1B3EC4C1765278F7C1E83761ECC42BFE1568E2298D714F6BDD85966BBAB230EF7BB8BB6FCDCDC9BB9B157C4EBC4D762E238E204269C05D576ED1ED1B49AAC88395BDDBD9B465206CAA45D727AAFE574909D787E2E41146CCDF17C801045196FBC10F619E69D32EF442239723FA11D2162310F4C375B0059153144E48C6AC9B36DA34929386FD349F677E51C06F005FE29107035F333FAE505F69202685DC17FCE75041703BF70F7386A106E3D6C4E150BDC5FFB5FF677D086F0983AC99CFC6C4E400CA0957CEE854041336AF17C500D424BE0ABCE782AF2
2024-07-03 12:19:22.705752 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:22.705782 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024280000000E000000F021000004280000340000003001030404CEAAB9E90300000C0100000C800E0100030000080300000C030000080400001C000000080500000022000024467322E7424105A896C3ADFF9D7A3AF20B0FF902A6D54DDFF2A62B23B2B1450A2C000048001C0000046C03EE85871EAFF0BB5DEFF99B0EFD1993407C36408E805BC197D7461961A66E013E8E5A4359AA72F0EC3E0D8F3F1F10EC3DC75F7B29579E5AFAA5F41C9A342D00001801000000070000100000FFFF0A005B310A005B310000001801000000070000100000FFFF0A005B320A005B32
2024-07-03 12:19:22.705792 ike 1:TLS_FBR:6897: received create-child response
2024-07-03 12:19:22.705798 ike 1:TLS_FBR:6897: initiator received CREATE_CHILD msg
2024-07-03 12:19:22.705803 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: found child SA SPI 9fb20b87 state=3
2024-07-03 12:19:22.705809 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: PFS enabled, group=28
2024-07-03 12:19:22.706761 ike 1:TLS_FBR:6897:3252: peer proposal:
2024-07-03 12:19:22.706770 ike 1:TLS_FBR:6897:3252: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:22.706776 ike 1:TLS_FBR:6897:3252: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:22.706782 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: comparing selectors
2024-07-03 12:19:22.706796 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: matched by rfc-rule-2
2024-07-03 12:19:22.706801 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: phase2 matched by subset
2024-07-03 12:19:22.706807 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: accepted proposal:
2024-07-03 12:19:22.706813 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:22.706818 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:22.706824 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: autokey
2024-07-03 12:19:22.706829 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: incoming child SA proposal:
2024-07-03 12:19:22.706834 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: proposal id = 1:
2024-07-03 12:19:22.706839 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: protocol = ESP:
2024-07-03 12:19:22.706844 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: encapsulation = TUNNEL
2024-07-03 12:19:22.706849 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:22.706854 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=INTEGR, val=SHA256
2024-07-03 12:19:22.706859 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:22.706863 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ESN, val=NO
2024-07-03 12:19:22.706869 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: matched proposal id 1
2024-07-03 12:19:22.706874 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: proposal id = 1:
2024-07-03 12:19:22.706878 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: protocol = ESP:
2024-07-03 12:19:22.706883 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: encapsulation = TUNNEL
2024-07-03 12:19:22.706887 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:22.706892 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=INTEGR, val=SHA256
2024-07-03 12:19:22.706896 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:22.706900 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: type=ESN, val=NO
2024-07-03 12:19:22.706905 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: lifetime=3600
2024-07-03 12:19:22.706932 ike 1:TLS_FBR: schedule auto-negotiate
2024-07-03 12:19:22.706938 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: replay protection enabled
2024-07-03 12:19:22.706943 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: set sa life soft seconds=3297.
2024-07-03 12:19:22.706948 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: set sa life hard seconds=3600.
2024-07-03 12:19:22.706969 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: IPsec SA selectors #src=1 #dst=1
2024-07-03 12:19:22.706975 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: src 0 7 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:22.706981 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: dst 0 7 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:22.706987 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: add dynamic IPsec SA selectors
2024-07-03 12:19:22.707007 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: added dynamic IPsec SA proxyids, existing serial 98
2024-07-03 12:19:22.707013 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: add IPsec SA: SPIs=9fb20b87/ceaab9e9
2024-07-03 12:19:22.707018 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: IPsec SA dec spi 9fb20b87 key 32:4772BD9315B1A7EDDC13B643C63E3B2ED3E9E485B6ED6088523E12CB1E748FA2 auth 32:BFDC9CEA2BEF0DCD604FCC45F218BCD43A2CA35E6DFE10B8C63D0337EA8BCE79
2024-07-03 12:19:22.707024 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: IPsec SA enc spi ceaab9e9 key 32:B50B5A2A191D9D8A6901C47123E85E481B9F42C6AC2BA07A3E235BC284377EB5 auth 32:B8DFE056D79117B6C3C35618278F1BB00D33F5C6E3E241F1C04098F6B85856EA
2024-07-03 12:19:22.707111 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: added IPsec SA: SPIs=9fb20b87/ceaab9e9
2024-07-03 12:19:22.707132 ike 1:TLS_FBR: HA send IKE connection add 10.0.90.49->10.0.90.50
2024-07-03 12:19:22.707147 ike 1:TLS_FBR:6897: HA send IKE SA add 74dce6c8b5bbd15d/3f2dc09e7d7d79a9
2024-07-03 12:19:22.707156 ike 1:TLS_FBR: HA send IKEv2 message ID update send/recv=15/14
2024-07-03 12:19:22.707179 ike 1:TLS_FBR: IPsec SA c9be46cc/9fb20b83 hard expired 13 10.0.90.49->10.0.90.50:0 SA count 3 of 3
2024-07-03 12:19:22.707194 ike 1:TLS_FBR: IPsec SA 9fb20b83 delete failed: 2
2024-07-03 12:19:22.707200 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3243: sending delete for IPsec SA SPI 9fb20b83
2024-07-03 12:19:22.707208 ike 1:TLS_FBR:6897:3253: send informational
2024-07-03 12:19:22.707215 ike 1:TLS_FBR:6897: enc 0000000C030400019FB20B8303020103
2024-07-03 12:19:22.707236 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2025000000000F000000502A000034D4A96A6BAE04F904B57C11913F6B795769823B9D826CCF36173B364A918A9972A707D0F1B65ED3E551075B35D4B361D8
2024-07-03 12:19:22.707255 ike 1:TLS_FBR:6897: sent IKE msg (INFORMATIONAL): 10.0.90.49:500->10.0.90.50:500, len=80, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000f
2024-07-03 12:19:22.730360 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:22.730382 ike 1: IKEv2 exchange=INFORMATIONAL_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:0000000f len=80
2024-07-03 12:19:22.730389 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2025280000000F000000502A00003447020B07C55C83C316CB604128F78F15BAC75EB93A5CCD84FF3BFC3F497EB4EDE69EFD4BA8AAC8ADA20CB8B6F944DF74
2024-07-03 12:19:22.730397 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:22.730440 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2025280000000F0000002C2A0000040000000C03040001C9BE46CC
2024-07-03 12:19:22.730448 ike 1:TLS_FBR:6897: received informational response
2024-07-03 12:19:22.730454 ike 1:TLS_FBR:6897:3253: processing informational acknowledgement
2024-07-03 12:19:22.730460 ike 1:TLS_FBR:6897: processing delete ack (proto 3)
2024-07-03 12:19:22.730466 ike 1:TLS_FBR: deleting IPsec SA with SPI c9be46cc
2024-07-03 12:19:22.730494 ike 1:TLS_FBR: IPsec SA with SPI c9be46cc deletion failed: 2
2024-07-03 12:19:23.683655 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:23.683674 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:23.683681 ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
2024-07-03 12:19:23.683687 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:23.683695 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:500 negotiating
2024-07-03 12:19:23.683712 ike 1:TLS_FBR:6897:3254 initiating CREATE_CHILD exchange
2024-07-03 12:19:23.683717 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: PFS enabled
2024-07-03 12:19:23.683737 ike 1:TLS_FBR:6897: enc 2800003400000030010304049FB20B880300000C0100000C800E0100030000080300000C030000080400001C000000080500000022000014C5E576559CA6E767283678574E0E43A32C000048001C0000939B9C03AB0908C3E429B071C0B9C8BAAA02FA906A7E9F24B1EE1EB6170234A3014E61FA1A116E606BA72E07ABA41E046EAC8563B8190ECB39E2281F120EA24B2D00002802000000070000100000FFFF0A0A48020A0A4802070000100000FFFF00000000FFFFFFFF0000002802000000070000100000FFFF0A211A030A211A03070000100000FFFF00000000FFFFFFFFF0F0E0D0C0B0A0908070605040302010F
2024-07-03 12:19:23.683784 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E202400000000100000013021000114CA5D4C07BF1BAFF6746AE8E9E57CFCF55FE9E2F537A0C0CC18AD1D270464747D2C3FE6AD1FFE14B085010C2867813CF527A8419D1192FEAFC936423DD2D4EB82BFEAF5029B1830A9AC6B54E9A5E942BE3B8B5CBC76A4E43FCB718E3A0273BE25A9D5804D71B9F1AA5D238365820B013426CBBC9E811BB78C71DD359781F7F58B003678C2EEDDFDED32F2AD94882C932742A6F4C7456B9E5A86F61C2DBF53DF96B6A3DDAE817E64CE4C327E44C4694F6D0004150D8D84B68F0B8021137857071787FD25FAB90DE4455C8A64C36B9B51244079B694593797FC1D13938FD786D8493558F1141446437FFDAFD3DA2C7152BF15C05209EE4F80F5158AC250D34853694D51A596F0AD883D9A62F6D5669066F6
2024-07-03 12:19:23.683811 ike 1:TLS_FBR:6897: sent IKE msg (CREATE_CHILD): 10.0.90.49:500->10.0.90.50:500, len=304, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000010
2024-07-03 12:19:23.713764 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:23.713779 ike 1: IKEv2 exchange=CREATE_CHILD_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000010 len=288
2024-07-03 12:19:23.713786 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E2024280000001000000120210001044FDD7805E61021FC2769F917FB6A7A3F4363E5E094B3FA7E6D2D96582888DE66BA08E333139C6CEB2E0EE8A72218FF49E42780D2260BC013419503251D065F797CBE89C790D357948131244842153E02F78D617D812A297ECA4A99F4469EA0FDA3F1646AD1E8721C997A660CC3CEE975F432740F857C3C273CEFCEDD3471EC66E55A671085C08E1AF4625D075BB41352DF7B157FEB71075B605B6F37C622E18A5D5E666B1AA81523EC22A5C1C0DC85CFC25BDBF4220F78FBE63908320F67D3ABB86BA1046037F2F6FEEB867ED5EA8837FE8FF35E8E4091E431068134EA8E0AFCC686E1A90648C3967DD746C8920E45BD5A457E2CB6A64208784919F4D50AA3D5
2024-07-03 12:19:23.713799 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:23.713826 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E20242800000010000000F021000004280000340000003001030404C2EBD85C0300000C0100000C800E0100030000080300000C030000080400001C00000008050000002200002441D442A818A0F27B11366FEB2438A32DEC91A04565BDBCC3EA93D9F9DADB6D6D2C000048001C00005538F07366FE361E838C9A09352E906A4540060F86083C22F37BA9A847151FEF73B1001A1CA42793DCA9087766C29085D789F8BDA97D359E768D273D931FAF802D00001801000000070000100000FFFF0A005B310A005B310000001801000000070000100000FFFF0A005B320A005B32
2024-07-03 12:19:23.713837 ike 1:TLS_FBR:6897: received create-child response
2024-07-03 12:19:23.713842 ike 1:TLS_FBR:6897: initiator received CREATE_CHILD msg
2024-07-03 12:19:23.713847 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: found child SA SPI 9fb20b88 state=3
2024-07-03 12:19:23.713852 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: PFS enabled, group=28
2024-07-03 12:19:23.714798 ike 1:TLS_FBR:6897:3254: peer proposal:
2024-07-03 12:19:23.714806 ike 1:TLS_FBR:6897:3254: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:23.714812 ike 1:TLS_FBR:6897:3254: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:23.714816 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: comparing selectors
2024-07-03 12:19:23.714822 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: matched by rfc-rule-2
2024-07-03 12:19:23.714827 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: phase2 matched by subset
2024-07-03 12:19:23.714833 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: accepted proposal:
2024-07-03 12:19:23.714838 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: TSr_0 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:23.714843 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: TSi_0 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:23.714848 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: autokey
2024-07-03 12:19:23.714854 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: incoming child SA proposal:
2024-07-03 12:19:23.714859 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: proposal id = 1:
2024-07-03 12:19:23.714864 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: protocol = ESP:
2024-07-03 12:19:23.714868 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: encapsulation = TUNNEL
2024-07-03 12:19:23.714873 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:23.714878 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=INTEGR, val=SHA256
2024-07-03 12:19:23.714882 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:23.714887 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ESN, val=NO
2024-07-03 12:19:23.714893 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: matched proposal id 1
2024-07-03 12:19:23.714897 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: proposal id = 1:
2024-07-03 12:19:23.714901 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: protocol = ESP:
2024-07-03 12:19:23.714905 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: encapsulation = TUNNEL
2024-07-03 12:19:23.714910 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ENCR, val=AES_CBC (key_len = 256)
2024-07-03 12:19:23.714914 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=INTEGR, val=SHA256
2024-07-03 12:19:23.714919 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=DH_GROUP, val=ECP256BP
2024-07-03 12:19:23.714923 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: type=ESN, val=NO
2024-07-03 12:19:23.714927 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: lifetime=3600
2024-07-03 12:19:23.714954 ike 1:TLS_FBR: schedule auto-negotiate
2024-07-03 12:19:23.714959 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: replay protection enabled
2024-07-03 12:19:23.714965 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: set sa life soft seconds=3300.
2024-07-03 12:19:23.714969 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: set sa life hard seconds=3600.
2024-07-03 12:19:23.714992 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: IPsec SA selectors #src=1 #dst=1
2024-07-03 12:19:23.714998 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: src 0 7 0:10.0.91.49-10.0.91.49:0
2024-07-03 12:19:23.715004 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: dst 0 7 0:10.0.91.50-10.0.91.50:0
2024-07-03 12:19:23.715008 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: add dynamic IPsec SA selectors
2024-07-03 12:19:23.715028 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: added dynamic IPsec SA proxyids, existing serial 98
2024-07-03 12:19:23.715033 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: add IPsec SA: SPIs=9fb20b88/c2ebd85c
2024-07-03 12:19:23.715038 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: IPsec SA dec spi 9fb20b88 key 32:96E54106D2BB77F08E898CC92A94A8FDC3FF331ADE2FAA5F3724076509CB235F auth 32:EC5D771FC5BDEE17C2AE8F9DFEEF77F0BD67CF42B3DA51B3E6EC76CC0A1110F6
2024-07-03 12:19:23.715044 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: IPsec SA enc spi c2ebd85c key 32:1441E30198DF61D7F31D741ECC32941E5DE0063E84E97111B686B3EE6DE96C05 auth 32:3DE489B1A28B1A454EA8202F2906DBED6F63F758AFC0F449A390AA265E16E8A1
2024-07-03 12:19:23.715131 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3254: added IPsec SA: SPIs=9fb20b88/c2ebd85c
2024-07-03 12:19:23.715152 ike 1:TLS_FBR: HA send IKE connection add 10.0.90.49->10.0.90.50
2024-07-03 12:19:23.715166 ike 1:TLS_FBR:6897: HA send IKE SA add 74dce6c8b5bbd15d/3f2dc09e7d7d79a9
2024-07-03 12:19:23.715174 ike 1:TLS_FBR: HA send IKEv2 message ID update send/recv=17/14
2024-07-03 12:19:23.715198 ike 1:TLS_FBR: IPsec SA cd8ff751/9fb20b84 hard expired 13 10.0.90.49->10.0.90.50:0 SA count 3 of 3
2024-07-03 12:19:23.715212 ike 1:TLS_FBR: IPsec SA 9fb20b84 delete failed: 2
2024-07-03 12:19:23.715217 ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3245: sending delete for IPsec SA SPI 9fb20b84
2024-07-03 12:19:23.715225 ike 1:TLS_FBR:6897:3255: send informational
2024-07-03 12:19:23.715233 ike 1:TLS_FBR:6897: enc 0000000C030400019FB20B8403020103
2024-07-03 12:19:23.715253 ike 1:TLS_FBR:6897: out 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E20250000000011000000502A0000342263CE9F2C00ED5A77445E4CEA050271CCD081C637682996546080567AE798EDE3ED3318FDBB670BC4D22D5F02215B0F
2024-07-03 12:19:23.715274 ike 1:TLS_FBR:6897: sent IKE msg (INFORMATIONAL): 10.0.90.49:500->10.0.90.50:500, len=80, vrf=0, id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000011
2024-07-03 12:19:23.738291 ike 1: comes 10.0.90.50:500->10.0.90.49:500,ifindex=13,vrf=0....
2024-07-03 12:19:23.738316 ike 1: IKEv2 exchange=INFORMATIONAL_RESPONSE id=74dce6c8b5bbd15d/3f2dc09e7d7d79a9:00000011 len=80
2024-07-03 12:19:23.738322 ike 1: in 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E20252800000011000000502A000034DAEDC685ED93B543838D87E7C4B9A7C60E552AEC3731E6F618BB8542D2D35FFC8669BB9457B703509BF3796EB428EBCA
2024-07-03 12:19:23.738330 ike 1:TLS_FBR: HA state master(2)
2024-07-03 12:19:23.738372 ike 1:TLS_FBR:6897: dec 74DCE6C8B5BBD15D3F2DC09E7D7D79A92E202528000000110000002C2A0000040000000C03040001CD8FF751
2024-07-03 12:19:23.738380 ike 1:TLS_FBR:6897: received informational response
2024-07-03 12:19:23.738385 ike 1:TLS_FBR:6897:3255: processing informational acknowledgement
2024-07-03 12:19:23.738391 ike 1:TLS_FBR:6897: processing delete ack (proto 3)
2024-07-03 12:19:23.738397 ike 1:TLS_FBR: deleting IPsec SA with SPI cd8ff751
2024-07-03 12:19:23.738429 ike 1:TLS_FBR: IPsec SA with SPI cd8ff751 deletion failed: 2
2024-07-03 12:19:26.083269 ike 1:TLS_FBR: HA IPsec send ESP seqno=436, num=4
2024-07-03 12:19:28.690038 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:28.690057 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:28.690062 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:28.690069 ike 1:TLS_FBR:IPSEC_TLS_FBR: tunnel is up, ignoring connect event
2024-07-03 12:19:33.700035 ike 1:TLS_FBR:IPSEC_TLS_FBR: IPsec SA connect 13 10.0.90.49->10.0.90.50:0
2024-07-03 12:19:33.700052 ike 1:TLS_FBR:IPSEC_TLS_FBR: using existing connection
2024-07-03 12:19:33.700058 ike 1:TLS_FBR:IPSEC_TLS_FBR: config found
2024-07-03 12:19:33.700065 ike 1:TLS_FBR:IPSEC_TLS_FBR: tunnel is up, ignoring connect event
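An added check (editor's example, not code from the thread, Fortinet or Stormshield) that reads IKE debug lines of the kind shown above: it extracts the flow that triggered the CREATE_CHILD exchange and the selectors the peer accepted for the child SA, then tests whether that flow lies inside them. On the thread's own lines, the trigger 10.10.72.2 -> 192.168.1.3 falls outside the accepted TSi/TSr of 10.0.91.49 and 10.0.91.50, which is what a LAN flow not covered by the negotiated child SA looks like; the second log is constructed with wildcard selectors for contrast. Log excerpts are trimmed of timestamps; the IPs are the thread's.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt that copies the shape of the "diag debug app ike -1" lines
# in this thread: the traffic-triggered line and the selectors the peer accepted.
SAMPLE_LOG = """\
ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: accepted proposal:
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSr_0 0:10.0.91.50-10.0.91.50:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSi_0 0:10.0.91.49-10.0.91.49:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: autokey
"""

# Constructed contrast case: a route-based (VTI) phase 2 whose peer accepted
# wildcard selectors, so any LAN-to-LAN flow is covered by the child SA.
WILDCARD_LOG = """\
ike 1:TLS_FBR:IPSEC_TLS_FBR: traffic triggered, serial=96 1:10.10.72.2:2048->1:192.168.1.3:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: accepted proposal:
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 1:TLS_FBR:6897:IPSEC_TLS_FBR:3252: autokey
"""

TRIGGER_RE = re.compile(
    r"traffic triggered, serial=\d+ \d+:([\d.]+):\d+->\d+:([\d.]+):\d+")
SELECTOR_RE = re.compile(r"\b(TS[ir])_\d+ \d+:([\d.]+)-([\d.]+):\d+")


@dataclass
class Phase2Check:
    src: str                 # local host that triggered the CREATE_CHILD
    dst: str                 # remote host it was trying to reach
    tsi: list = field(default_factory=list)   # accepted initiator (local) ranges
    tsr: list = field(default_factory=list)   # accepted responder (remote) ranges
    src_covered: bool = False
    dst_covered: bool = False

    @property
    def covered(self) -> bool:
        return self.src_covered and self.dst_covered


def _ip_int(text: str) -> int:
    return int(ipaddress.ip_address(text))


def _in_ranges(ip: str, ranges) -> bool:
    n = _ip_int(ip)
    return any(lo <= n <= hi for lo, hi in ranges)


def parse_accepted_selectors(lines):
    """Return (tsi, tsr) from the last 'accepted proposal:' block in the log."""
    tsi, tsr, in_block = [], [], False
    for line in lines:
        if "accepted proposal:" in line:
            tsi, tsr, in_block = [], [], True     # a newer negotiation wins
            continue
        if not in_block:
            continue
        m = SELECTOR_RE.search(line)
        if not m:
            in_block = False                      # block ends at e.g. "autokey"
            continue
        rng = (_ip_int(m.group(2)), _ip_int(m.group(3)))
        (tsi if m.group(1) == "TSi" else tsr).append(rng)
    return tsi, tsr


def check_triggers(log_text: str):
    """For each triggering flow, report whether the negotiated child SA covers it."""
    lines = log_text.splitlines()
    tsi, tsr = parse_accepted_selectors(lines)
    results = []
    for line in lines:
        m = TRIGGER_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        results.append(Phase2Check(src, dst, tsi, tsr,
                                   _in_ranges(src, tsi), _in_ranges(dst, tsr)))
    return results


if __name__ == "__main__":
    for name, log in (("thread", SAMPLE_LOG), ("wildcard", WILDCARD_LOG)):
        for r in check_triggers(log):
            print(f"{name}: {r.src}->{r.dst} covered={r.covered} "
                  f"(src in TSi={r.src_covered}, dst in TSr={r.dst_covered})")
```

Feed it the full timestamped debug output unchanged; the regexes anchor on the message text, not on the line prefix.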
Hi @NRA,
Those are IKE debugs. Please run debug flow instead as per this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,